Fetching from the git repositories over https?

Adam Plaice plaice.adam+notmuch at gmail.com
Sun Jan 28 09:26:08 PST 2018


I apologise if I'm asking in the wrong place.

Is it possible to clone/fetch from the notmuch git repositories
(particularly https://git.notmuchmail.org/git/notmuch) over https
rather than with the `git://' protocol?  (None of the likely
alternatives seem to work.)

If not, would it be inconvenient for this to be enabled, as an
option (if not the recommended one)?

Having such an option would be valuable for the purposes of MELPA and
MELPA stable (the Emacs package archives which provide an alternative,
slightly controversial, way of installing the Notmuch Emacs
interface).  Since the scripts that build the package archives fetch
from upstream sources (such as git://git.notmuchmail.org/git/notmuch)
automatically (without human oversight or code inspection) and the
`git://' protocol does not provide any authentication, there is
currently no guarantee that when the MELPA server tries to connect to
notmuchmail.org it's not actually being "Man-in-the-middled" by a
malicious third party.  As a result, it would be possible for such a
third party to introduce some changes to the Elisp code that would
compromise the machines of any users who install the modified package.

Using https would raise the bar, from anybody who can hijack the
connection between MELPA and notmuchmail.org, to those who can compromise
the SSL certificate chain.

Thank you for your time and thank you for notmuch,
Adam

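The risk the message describes, a build script fetching from an unauthenticated `git://` remote, is something a package-archive operator can check for mechanically before running `git fetch`. The following is an added example (not part of the mailing-list post or of MELPA's or notmuch's own tooling): a POSIX shell policy check that refuses transports which provide no server authentication, plus a helper that prints the `git config url.<base>.insteadOf` rule git itself supports for transparently rewriting `git://` to `https://` for a host. The rewrite is only useful where the host actually serves https, which the post notes was not the case for notmuchmail.org at the time; all URLs in the block are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: transport policy for upstream fetches.

# Return 0 if the remote URL uses a transport that authenticates the server
# (https, or ssh with host keys), 1 for git://, http://, ftp:// and anything
# unrecognised. Refusing by default keeps a typo from silently downgrading.
remote_scheme_ok() {
    case "$1" in
        https://*)              return 0 ;;
        ssh://*|git@*:*)        return 0 ;;   # scp-style ssh remotes
        git://*|http://*|ftp://*) return 1 ;;
        *)                      return 1 ;;
    esac
}

# Count how many URLs in a newline-separated list would be rejected.
# Prints the count so a build script can fail when it is non-zero.
count_rejected() {
    rejected=0
    for url in $1; do
        if ! remote_scheme_ok "$url"; then
            rejected=$((rejected + 1))
        fi
    done
    printf '%s\n' "$rejected"
}

# For a git:// URL, print the git config command that makes git use https for
# that host even when a recipe still names git://. The host is taken from the
# URL; the command is only useful if the host actually serves https.
insteadof_rule() {
    host=$(printf '%s' "$1" | sed -n 's|^git://\([^/]*\)/.*|\1|p')
    [ -n "$host" ] || return 1
    printf 'git config --global url."https://%s/".insteadOf "git://%s/"\n' \
        "$host" "$host"
}

# Constructed sample remotes, mirroring the kind of list a package recipe holds.
SAMPLE_REMOTES="git://git.notmuchmail.org/git/notmuch
https://git.notmuchmail.org/git/notmuch
git@example.invalid:someone/package.git
http://mirror.example.invalid/package.git"

# Stand-alone demo: report each URL and the suggested rewrite for git:// ones.
for url in $SAMPLE_REMOTES; do
    if remote_scheme_ok "$url"; then
        printf 'accept  %s\n' "$url"
    else
        printf 'REJECT  %s\n' "$url"
        insteadof_rule "$url" || true
    fi
done
```

In practice the check runs once over every remote a recipe references, and the build aborts when `count_rejected` is non-zero; the `insteadOf` rule is a separate, host-by-host decision, since it only helps once the upstream host serves https.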
